Service + Vendor + Sub-service Risk
Survey-based risk assessment across service organization, vendor TPRM, and sub-service organization carve-out / inclusive scoping.
- Sub-service org register live
- Vendor TPRM integrated
- Risk register tied to TSC
For B2B SaaS + Service Organizations + Multi-Product CSPs
The enterprise deal is ready to close; then the buyer's procurement team asks for your current report and a stack of security questionnaires, and the deal stalls for weeks while you chase evidence. More than 90% of enterprise buyers now require a current report before they sign. Most SaaS teams keep that proof scattered across binders, spreadsheets, and an auditor's email thread, and rebuild it from scratch every cycle. RiskWatch runs it as one program: assess every product against one control library, keep the evidence audit-ready year round, and answer the buyer's questionnaire in days, not weeks.
Trusted by B2B SaaS, multi-product CSPs, and enterprise service organizations managing SOC 2 Type II + ISO 27001 dual surveillance, multi-product carve-out scoping, the CUEC ecosystem, and 380+ enterprise customer audits across cloud, AI, and platform-as-a-service categories.
Why VPs of Trust + Security Pick RiskWatch
RiskWatch gives one team a single program covering every product, every customer review, and every audit cycle. Score a control once and it answers your auditor, your ISO 27001 surveillance, and the buyer's security questionnaire at the same time, so you stop rebuilding the same proof in three formats. When the next enterprise deal asks for evidence, it is already there, without the overhead of an enterprise-bank GRC platform to produce it.
Answer a control once and it satisfies your report, your ISO 27001 surveillance, and the questionnaires buyers send, so you stop maintaining the same proof in parallel binders. (SOC 2 Type I and Type II, ISO 27001:2022 Annex A with its 93 controls, NIST CSF 2.0, CSA STAR, and SIG Lite + Core share one evidence library.)
See which customers still owe their control attestations, and which gaps would stall the report, before the auditor flags them. (The CUEC tracker shows which customers have attested to which Complementary User Entity Controls across Type I point-in-time and Type II 6-to-12-month operating-effectiveness windows.)
Run each product's posture on its own, then roll the whole company up to one consolidated report. Built for multi-product SaaS. (Sub-service organization carve-out vs inclusive method tracked. Live in 30 days, not 6 months.)
The SOC 2 Attestation Landscape
More than 90% of enterprise procurement reviews require a current SOC 2 Type II. The 2017 Trust Services Criteria revision (still current) added the 'Common Criteria' framework + Additional Criteria for Availability / Processing Integrity / Confidentiality / Privacy. The 2022 AICPA Description Criteria DC-200 update aligned SOC 2 reporting with COSO ERM. ISO 42001:2023 (AI management) is becoming the SOC 2 add-on of choice for AI-native SaaS. The CUEC ecosystem keeps growing as customers cite missing CUEC attestations as audit-blocking findings.
Three Domains, One Platform
RiskWatch covers all three. Each domain has a dedicated workflow, scoring model, and remediation queue. They share data so a single TSC assessment satisfies the SOC 2 Common Criteria, the relevant Additional Criteria, the corresponding ISO 27001 Annex A control, and the NIST CSF 2.0 mapping simultaneously.
Survey-based risk assessment across service organization, vendor TPRM, and sub-service organization carve-out / inclusive scoping.
Common Criteria, Additional Criteria, the 5 Trust Services Criteria, and the cross-mapped ISO + NIST + CSA STAR libraries.
Type I point-in-time, Type II operating-effectiveness, and the CUEC customer-attestation ecosystem tracked in one place.
SOC 2 Type II · CUEC Spotlight
Complementary User Entity Controls (user-access provisioning, annual access reviews, BYOK key rotation, audit-log review, MFA enforcement) are the controls a SOC 2 report requires customers to perform. When customers don't actually perform them, the report's assurance does not hold. The CUEC tracker shows which customers have attested to which CUECs, surfaces gaps before the auditor finds them, and routes missing attestations back into the trust-portal workflow.
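To make the gap-surfacing concrete, here is an added example (not RiskWatch's code) of the check a CUEC tracker performs: given the CUECs a report requires, each customer's attestations, and the report window, it lists which CUECs each customer still owes. The CUEC identifiers, customer names, and dates are constructed for the example; the window rule is an assumption that follows the page's description of Type I as point-in-time and Type II as a 6-to-12-month operating-effectiveness period.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical CUEC ids, named after the controls the page lists.
REQUIRED_CUECS = {
    "CUEC-01": "user-access provisioning",
    "CUEC-02": "annual access review",
    "CUEC-03": "BYOK key rotation",
    "CUEC-04": "audit-log review",
    "CUEC-05": "MFA enforcement",
}


@dataclass(frozen=True)
class Attestation:
    customer: str
    cuec_id: str
    attested_on: date


def attestation_gaps(attestations, customers, period_start, period_end, report_type="type2"):
    """Return {customer: sorted CUEC ids with no valid attestation}.

    type1: point-in-time. An attestation counts if it is dated on or before the
           as-of date (period_end) and no more than one year old at that date.
    type2: operating effectiveness. An attestation counts only if it falls inside
           the window [period_start, period_end].
    Unknown customers or CUEC ids are ignored rather than counted as coverage.
    """
    valid = {c: set() for c in customers}
    for a in attestations:
        if a.customer not in valid or a.cuec_id not in REQUIRED_CUECS:
            continue
        if report_type == "type1":
            ok = period_end - timedelta(days=365) <= a.attested_on <= period_end
        elif report_type == "type2":
            ok = period_start <= a.attested_on <= period_end
        else:
            raise ValueError(f"unknown report type: {report_type}")
        if ok:
            valid[a.customer].add(a.cuec_id)
    return {c: sorted(set(REQUIRED_CUECS) - got) for c, got in valid.items()}


def customers_blocking_report(gaps):
    """Customers with at least one missing attestation, i.e. the ones to chase first."""
    return sorted(c for c, missing in gaps.items() if missing)


# Constructed sample data: three customers, one fully attested, one partial, one silent.
CUSTOMERS = ["acme", "globex", "initech"]
SAMPLE = [
    Attestation("acme", "CUEC-01", date(2024, 3, 15)),
    Attestation("acme", "CUEC-02", date(2024, 6, 1)),
    Attestation("acme", "CUEC-03", date(2024, 2, 10)),
    Attestation("acme", "CUEC-04", date(2024, 9, 30)),
    Attestation("acme", "CUEC-05", date(2024, 1, 20)),
    Attestation("globex", "CUEC-01", date(2023, 12, 20)),  # before the Type II window
    Attestation("globex", "CUEC-05", date(2024, 4, 1)),
]

if __name__ == "__main__":
    type2 = attestation_gaps(SAMPLE, CUSTOMERS, date(2024, 1, 1), date(2024, 12, 31))
    for customer, missing in type2.items():
        print(f"{customer}: missing {missing or 'nothing'}")
    print("blocking:", customers_blocking_report(type2))
```

Running the sample with a Type II window of calendar 2024 reports globex as missing four CUECs (its provisioning attestation predates the window) and initech as missing all five; re-running as Type I with an as-of date of 2024-06-30 accepts globex's December attestation but flags acme's September audit-log review as not yet attested, which is the difference between the two report types that the tracker has to encode.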
The Coverage Gap
Compliance automation tools handle Security TSC. Vendor risk platforms cover sub-service orgs. Audit-prep specialty handles document collection. Each does one job. VPs of Trust still operate four parallel programs across products, customers, and audit cycles.
| Platform Category | TSC | Type I | Type II | CUEC | Cross-mapping | Multi-product |
|---|---|---|---|---|---|---|
| Compliance Automation (Drata, Vanta, Secureframe) | Yes | Yes | Yes | Partial | Partial | Partial |
| Generic GRC (ServiceNow GRC, Archer) | Partial | Partial | Partial | Partial | Partial | Partial |
| Audit-Prep Specialty (AuditBoard, Workiva) | Partial | Partial | Yes | No | Yes | Partial |
| Vendor Risk Tools (OneTrust VRM, ProcessUnity) | No | No | No | Partial | No | Partial |
| ISO 27001 Specialty (BSI Connect, Conformio) | No | No | No | No | Yes | No |
| Spreadsheets & Email | No | No | No | No | No | No |
| RiskWatch (unified auditor-ready platform) | Yes | Yes | Yes | Yes | Yes | Yes |
RiskWatch is the only platform covering all six SOC 2 compliance domains: Trust Services Criteria, Type I, Type II, the CUEC ecosystem, ISO 27001 + NIST CSF cross-mapping, and multi-product coordination. Compliance automation handles security TSC. Audit-prep tools handle documents. Vendor risk handles sub-services. Each does one job. RiskWatch unifies all six in one survey-based assessment workflow.
How It Works
RiskWatch is a survey-based assessment platform. The work is structured around questionnaires that capture Trust Services Criteria posture, control implementation, and CUEC attestations in a consistent format, then scored against every framework you align to.
For SOC 2, that workflow runs continuously across the 5 TSC, Type I + Type II evidence, the CUEC ecosystem, sub-service org scoping, ISO 27001:2022, NIST CSF 2.0, CSA STAR, SIG, and HITRUST. A single TSC control assessment scores against the SOC 2 Common Criteria, the corresponding ISO 27001 Annex A control, the NIST CSF mapping, and the customer SIG response simultaneously.
The same platform runs all of it, surfaces gaps before the auditor arrives, assigns remediation owners, and tracks completion. It replaces the compliance-automation tool, the GRC platform, the vendor portal, and the customer-audit response binder with one system.
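The "score once, answer every framework" idea above is a projection of one set of control answers through a crosswalk. The following added example (not RiskWatch's code) shows the mechanics: internal control ids are hypothetical, the SOC 2, ISO 27001:2022 Annex A, and NIST CSF 2.0 reference ids are real identifiers, but the mapping between them is an assumption chosen for illustration, not an authoritative crosswalk. A framework reference that several controls map to takes the weakest score, so one unimplemented control surfaces as a gap under every framework that depends on it.

```python
# Illustrative crosswalk (assumption): internal control -> framework references.
CROSSWALK = {
    "AC-PROV": {"SOC2": ["CC6.1", "CC6.2"], "ISO27001": ["A.5.15", "A.5.18"], "NIST_CSF": ["PR.AA-01", "PR.AA-05"]},
    "AC-MFA":  {"SOC2": ["CC6.1"],          "ISO27001": ["A.8.5"],            "NIST_CSF": ["PR.AA-03"]},
    "LOG-REV": {"SOC2": ["CC7.2"],          "ISO27001": ["A.8.15"],           "NIST_CSF": ["DE.CM-09"]},
    "KEY-ROT": {"SOC2": ["CC6.1"],          "ISO27001": ["A.8.24"],           "NIST_CSF": ["PR.DS-01"]},
}

# Survey answer -> numeric score.
SCORE = {"implemented": 1.0, "partial": 0.5, "not_implemented": 0.0}


def framework_scores(assessment):
    """Project one assessment {control_id: status} onto every framework.

    Returns {framework: {reference: score}}. A reference reached from several
    controls keeps the minimum score; a control with no answer is treated as
    not implemented rather than silently omitted.
    """
    per_ref = {}
    for control_id, refs in CROSSWALK.items():
        status = assessment.get(control_id, "not_implemented")
        if status not in SCORE:
            raise ValueError(f"{control_id}: unknown status {status!r}")
        s = SCORE[status]
        for framework, ids in refs.items():
            for ref in ids:
                key = (framework, ref)
                per_ref[key] = min(per_ref.get(key, 1.0), s)
    out = {}
    for (framework, ref), s in per_ref.items():
        out.setdefault(framework, {})[ref] = s
    return out


def gaps_by_framework(assessment, threshold=1.0):
    """References scoring below the threshold, per framework, for the remediation queue."""
    return {
        framework: sorted(ref for ref, s in refs.items() if s < threshold)
        for framework, refs in framework_scores(assessment).items()
    }


def coverage_percent(assessment):
    """Share of each framework's mapped references that are fully satisfied."""
    return {
        framework: round(100.0 * sum(1 for s in refs.values() if s == 1.0) / len(refs), 1)
        for framework, refs in framework_scores(assessment).items()
    }


# Constructed sample: one survey, with key rotation left unanswered.
SAMPLE_ASSESSMENT = {"AC-PROV": "implemented", "AC-MFA": "partial", "LOG-REV": "implemented"}

if __name__ == "__main__":
    for framework, refs in gaps_by_framework(SAMPLE_ASSESSMENT).items():
        print(f"{framework}: open {refs}")
    print(coverage_percent(SAMPLE_ASSESSMENT))
```

With the sample answers, CC6.1 comes back as a SOC 2 gap even though provisioning is fully implemented, because MFA is only partial and key rotation was never answered; the same two weaknesses show up as A.8.5 and A.8.24 under ISO 27001 and as PR.AA-03 and PR.DS-01 under NIST CSF, which is the one-assessment, many-frameworks behaviour the page describes.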
Built For Your Role
Owns enterprise trust posture, multi-framework attestation strategy, and the customer-facing security program for 380+ enterprise customers.
SOC 2 Type II + ISO 27001 dual surveillance live. Customer-facing trust portal continuous. Customer SIG response time tracked.

Owns the SOC 2 audit cycle, ISO 27001 surveillance, CSA STAR submission, and the cross-framework control mapping.
Type II evidence vault live. ISO 27001 Annex A mapped. CSA STAR submission ready. Cross-framework gaps surfaced.

Owns the technical Security TSC controls, threat modeling, vulnerability management, and the CC6 / CC7 / CC8 control families.
All Security TSC controls scored. CC6/7/8 evidence captured. Vulnerability tracking integrated. Pen-test cycle continuous.

Owns the customer-facing trust portal, the SOC 2 report distribution + customer audit responses, and CUEC attestation.
Trust portal live. Customer SIG + CAIQ + custom-questionnaire responses generated. CUEC tracker shows attested vs missing.

Owns the Privacy TSC additional criteria, GDPR + CCPA cross-mapping, and DPA / customer-data-processing addendum tracking.
Privacy TSC controls scored. GDPR + CCPA cross-walked. DPA register live. Customer data subject requests tracked.

Owns internal audit cycles, COSO ERM mapping per DC-200, sub-service organization risk, and the residual-risk register.
Internal audit cycle continuous. DC-200 description ready. Sub-service org register live. Residual risk register tied to TSCs.

Built For Your Segment
Enterprise B2B SaaS running multi-product Type II + ISO 27001 dual surveillance with 100+ enterprise customers conducting their own audits.
Multi-product cloud service providers running per-product Type II with consolidated reporting + sub-service org carve-out / inclusive method scoping.
AI-native SaaS adding ISO 42001:2023 AI management as the SOC 2 add-on, with model-governance + responsible-AI controls in scope.
Fintech and embedded-finance platforms running SOC 2 alongside SOC 1 ICFR, PCI DSS, and state lending licenses.
HealthTech running SOC 2 + HIPAA + HITRUST CSF, with the BAA cascade and PHI flows in scope alongside the standard TSCs.
Outsourced HR, payroll, billing, customer service, and managed-services providers running SOC 2 for client procurement diligence.
Frameworks We Cover
RiskWatch ships with pre-built libraries for every major attestation + assurance + cross-mapped framework. Map controls once. Score against the framework that matters this audit cycle.
Trusted by 500+ risk and compliance teams
We were running SOC 2 in Drata, ISO 27001 in a separate spreadsheet, the customer trust portal in a third tool, and CUEC tracking in Notion. Now it's one platform. Type II evidence, ISO 27001 Annex A mapping, the CUEC tracker, and customer SIG responses all run from the same evidence vault. Our last Type II audit closed with two findings instead of nine, and we cut customer-audit response time from 11 days to 2.
Resources
Type II · TSC · CUEC-ready
30-minute walkthrough of the SOC 2 library, your product + customer + sub-service-org inputs, and the auditor-ready evidence-trail output. No slideware, no consulting upsell.
Or call US: +1 941-500-4525